admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden API security: input validation, safe auth extraction, new tests, and deploy config

Browse Source 
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-03-02 09:48:01 -06:00
parent 56d6fa4514
commit 7690f07a2b
123 changed files with 8321 additions and 750 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/dto/requests/contractor.go
View File

@@ -8,13 +8,13 @@ type CreateContractorRequest struct {
Phone string `json:"phone" validate:"max=20"`
Email string `json:"email" validate:"omitempty,email,max=254"`
Website string `json:"website" validate:"max=200"`
Notes string `json:"notes"`
Notes string `json:"notes" validate:"max=10000"`
StreetAddress string `json:"street_address" validate:"max=255"`
City string `json:"city" validate:"max=100"`
StateProvince string `json:"state_province" validate:"max=100"`
PostalCode string `json:"postal_code" validate:"max=20"`
SpecialtyIDs []uint `json:"specialty_ids"`
Rating *float64 `json:"rating"`
SpecialtyIDs []uint `json:"specialty_ids" validate:"omitempty,max=20"`
Rating *float64 `json:"rating" validate:"omitempty,min=0,max=5"`
IsFavorite *bool `json:"is_favorite"`
}
@@ -25,13 +25,13 @@ type UpdateContractorRequest struct {
Phone *string `json:"phone" validate:"omitempty,max=20"`
Email *string `json:"email" validate:"omitempty,email,max=254"`
Website *string `json:"website" validate:"omitempty,max=200"`
Notes *string `json:"notes"`
Notes *string `json:"notes" validate:"omitempty,max=10000"`
StreetAddress *string `json:"street_address" validate:"omitempty,max=255"`
City *string `json:"city" validate:"omitempty,max=100"`
StateProvince *string `json:"state_province" validate:"omitempty,max=100"`
PostalCode *string `json:"postal_code" validate:"omitempty,max=20"`
SpecialtyIDs []uint `json:"specialty_ids"`
Rating *float64 `json:"rating"`
SpecialtyIDs []uint `json:"specialty_ids" validate:"omitempty,max=20"`
Rating *float64 `json:"rating" validate:"omitempty,min=0,max=5"`
IsFavorite *bool `json:"is_favorite"`
ResidenceID *uint `json:"residence_id"`
}